The isdataat rule option verifies that payload data exists at a specified location.

isdataat is specified with the isdataat keyword, followed by a colon character, followed by a number that signals where to look for packet data, and lastly followed optionally by ,relative to tell Snort to look for data starting from a previous cursor move.

Users can also specify a negated isdataat check with ! placed before the number to check that a certain amount of data is not present at a specified location in the payload.

Valid isdataat numbers are 0 through 65535 (inclusive). This means that isdataat:0 checks that there is at least one byte present after the current cursor location.

content:"USER";
# checks for at least 30 bytes after "USER"
# since valid isdataat numbers start at 0
isdataat:29,relative;
content:!"|0a|", within 30;
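
The zero-based counting in the rule options above can be checked with a small model of the cursor logic. This is an added example, not Snort's code or part of the original page; the function names and sample payloads are constructed for illustration, and the model assumes a single raw payload buffer.

```python
# Simplified model of Snort's payload cursor, for illustration only.

def isdataat(payload: bytes, cursor: int, location: int,
             relative: bool = False, negated: bool = False) -> bool:
    """True if a byte exists `location` bytes past the base, i.e. at least
    location + 1 bytes are available there. A leading ! inverts the result."""
    if not 0 <= location <= 65535:
        raise ValueError("isdataat location must be 0 through 65535")
    base = cursor if relative else 0      # ,relative starts at the cursor
    present = base + location < len(payload)
    return present != negated


def long_user_without_newline(payload: bytes) -> bool:
    """Model of: content:"USER"; isdataat:29,relative; content:!"|0a|", within 30;"""
    start = payload.find(b"USER")
    while start != -1:
        cursor = start + len(b"USER")     # content match leaves cursor after "USER"
        # isdataat guarantees 30 bytes exist, so the negated content check
        # cannot pass merely because the payload is short.
        if (isdataat(payload, cursor, 29, relative=True)
                and b"\x0a" not in payload[cursor:cursor + 30]):
            return True
        start = payload.find(b"USER", start + 1)   # try the next occurrence
    return False


# Constructed sample payloads (not captured traffic).
NORMAL = b"USER alice\r\n"
EXACT_29 = b"USER" + b"A" * 29            # one byte short of isdataat:29
EXACT_30 = b"USER" + b"A" * 30            # 30 bytes after "USER", no newline
NEWLINE_INSIDE = b"USER " + b"A" * 20 + b"\n" + b"B" * 20

if __name__ == "__main__":
    samples = {"normal": NORMAL, "29 bytes": EXACT_29,
               "30 bytes": EXACT_30, "newline inside": NEWLINE_INSIDE}
    for name, data in samples.items():
        print(f"{name:15} -> {long_user_without_newline(data)}")
```

Only the payload with a full 30 bytes after "USER" and no newline among them satisfies all three options.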